How to Do a Free Cybersecurity Check-Up on Your Small Business
You don't need to hire a consultant or buy an expensive tool to understand the state of your business's cybersecurity. Here's a practical DIY check-up you can do in under an hour — completely free.
The 10-point check-up:
1. Are all accounts using MFA? (10 minutes) Open each of your key business platforms: email, accounting, banking, cloud storage, CRM, project management. Check whether MFA is enabled for every user, not merely offered as an option; most admin consoles let you enforce it for the whole organisation. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping. If MFA is off anywhere, turn it on today.
2. Are your passwords unique, and when were they last changed? (5 minutes) Age matters less than reuse: a password used on two services falls with the weaker one, and current guidance (NIST SP 800-63B) favours long, unique passwords over rotation on a fixed schedule. Rotate any password that is reused across services, shared between staff, or was known to someone who has since left, and any that turns up in a breach notification (Have I Been Pwned is a free check). Use a password manager to generate and store a strong, unique password for every account.
3. Is there a software update pending? (5 minutes) Check your computers, mobile devices, key applications and your office router or firewall for pending updates, and install them. Turn on automatic updates wherever the option exists, and retire any device or software the vendor no longer patches.
4. Are your backups current? (5 minutes) When did you last back up your critical business data? Is at least one copy somewhere the original cannot reach it, ideally cloud plus an offline copy that stays disconnected, so ransomware that hits your computers cannot encrypt the backup as well? Test the backup by actually restoring a file from it; a backup that has never been restored is an assumption, not a backup.
5. Check email forwarding rules (2 minutes) Log in to your business email admin console and look for unexpected forwarding on any account, at both levels: mailbox-wide forwarding set in the admin console, and per-user inbox rules. Also look for rules that delete messages or file them in obscure folders, which attackers add to hide a bank's or customer's replies while a fraudulent invoice is in play. Adding such rules is a common way to keep access to a compromised mailbox after the password has been changed, so if you find one nobody created, treat the account as compromised: reset the password, sign out all active sessions, and check what else was done from it.
6. Who has admin access to what? (10 minutes) List who holds admin-level access on each key system and remove it from anyone whose job does not need it; day-to-day work should happen in a normal account, with admin rights used only when required, and every admin account must have MFA. Former employees should have zero access, so confirm their accounts are disabled, their devices removed from MFA, and any shared logins they knew have been changed.
7. Is your domain email authenticated? (5 minutes) Ask your IT provider or domain host whether SPF, DKIM and DMARC are configured on your domain. All three are DNS records: SPF lists the servers allowed to send mail as your domain, DKIM signs your outgoing mail, and DMARC tells receivers what to do with a message that passes neither check. You can see two of them yourself by looking up the TXT records for yourdomain and _dmarc.yourdomain. If they are missing, ask your provider to set them up; if DMARC is there but reads p=none, it is only monitoring, so ask for a plan to move to quarantine and then reject once the reports show only your legitimate senders.
8. Do you have a cyber incident plan? (5 minutes) Does your team know what to do if they click a phishing link or suspect a breach? Even a simple written process is better than nothing: who to call, what to do first (disconnect the machine from the network, change the password from a different device), who can reset passwords and sign out sessions, and who contacts the bank. Keep a printed copy; if email is what has been compromised, you will not be reading the plan there.
9. Has your team had any security awareness training this year? (2 minutes) If not — send them to Phishbate. It's free, it takes 10 minutes, and it builds genuine recognition skills.
10. When did you last check your cyber insurance? (5 minutes) If you have a business insurance policy, check whether cyber coverage is included. If not, speak to your broker. If it is, read the conditions: many policies require MFA and current backups, which is one more reason to finish items 1 and 4.
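Item 5 above is easier to do thoroughly if you export the inbox rules for every mailbox and let a script flag the suspicious ones. The following is an added example, not code from the original article or from Phishbate. It works over a list of rule dictionaries whose keys mirror the properties that Exchange Online's Get-InboxRule cmdlet reports (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder); the Mailbox key, the internal domain example.com.au and the sample rules are all constructed for the example. Mailbox-wide forwarding set by an administrator is a separate setting and still needs to be checked in the console.

```python
"""Flag mailbox rules that look like attacker persistence.

Added example, not from the original article. Input is a list of dicts
modelled on Exchange Online Get-InboxRule output; the sample data below
is constructed, not a real export.
"""

# Assumption: the domains the business actually owns.
INTERNAL_DOMAINS = {"example.com.au"}

# Folders attackers commonly use to bury replies the victim would notice.
HIDING_FOLDERS = {
    "rss subscriptions", "rss feeds", "conversation history",
    "junk email", "archive", "deleted items",
}


def is_external(address: str) -> bool:
    """True when the address belongs to a domain the business does not own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def audit_rule(rule: dict) -> list[str]:
    """Return a list of reasons this rule is suspicious (empty = looks fine)."""
    findings: list[str] = []
    if not rule.get("Enabled", True):
        return findings  # a disabled rule does nothing today
    targets = (
        (rule.get("ForwardTo") or [])
        + (rule.get("RedirectTo") or [])
        + (rule.get("ForwardAsAttachmentTo") or [])
    )
    external = [t for t in targets if is_external(t)]
    if external:
        findings.append("forwards mail outside the organisation to "
                        + ", ".join(external))
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching messages to '{rule['MoveToFolder']}'")
    # Attackers often name rules "." or "," so they are easy to overlook.
    if len((rule.get("Name") or "").strip()) <= 1:
        findings.append("has a blank or single-character name")
    return findings


def audit_mailbox_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map 'mailbox: rule name' to findings for every suspicious rule."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            key = f"{rule['Mailbox']}: {rule.get('Name') or '(unnamed)'}"
            report[key] = findings
    return report


# Constructed sample export: two ordinary rules and two planted by an attacker.
SAMPLE_RULES = [
    {"Mailbox": "sarah@example.com.au", "Name": "Invoices to accountant",
     "Enabled": True, "ForwardTo": ["accounts@example.com.au"]},
    {"Mailbox": "sarah@example.com.au", "Name": ".", "Enabled": True,
     "RedirectTo": ["sarah.files@webmail-host.example"], "DeleteMessage": True},
    {"Mailbox": "tom@example.com.au", "Name": "Bank notifications",
     "Enabled": True, "MoveToFolder": "RSS Subscriptions"},
    {"Mailbox": "tom@example.com.au", "Name": "Old newsletter",
     "Enabled": False, "ForwardTo": ["tom@old-isp.example"]},
]

if __name__ == "__main__":
    for key, findings in audit_mailbox_rules(SAMPLE_RULES).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Running it on the sample data reports Sarah's "." rule (external redirect, deletes messages, one-character name) and Tom's "Bank notifications" rule (files mail under RSS Subscriptions); the genuine accountant rule and the disabled rule are left alone. Any hit that nobody in the business remembers creating should be handled as a compromised account, not just deleted.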
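Item 7 can also be checked without waiting for your IT provider. The script below is an added example, not code from the original article or from Phishbate; it evaluates SPF, DMARC and DKIM records that you paste in as strings, so it runs offline, and it goes a little beyond the item by also catching two common misconfigurations (more than one SPF record, and more than ten SPF DNS lookups) that cause receivers to ignore SPF entirely. The domain names, DKIM selector and records used are constructed samples; to check a real domain, fetch the TXT records first with `dig +short TXT yourdomain.com.au`, `dig +short TXT _dmarc.yourdomain.com.au` and, for DKIM, `dig +short TXT selector._domainkey.yourdomain.com.au`, where the selector is the one your mail provider told you to publish.

```python
"""Evaluate SPF, DMARC and DKIM TXT records for a business domain.

Added example, not from the original article. Functions take the record
strings as input so the check runs offline; the sample records at the
bottom are constructed, not any real domain's DNS.
"""

# SPF terms that cost a DNS lookup; RFC 7208 permits at most 10 in total.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC/DKIM syntax) into a dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records: list[str]) -> list[str]:
    """Return findings for the domain's SPF record (empty list = looks fine)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any server may send mail claiming this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    findings: list[str] = []
    terms = spf[0].split()
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF ends in +all, authorising every sender on the internet")
    elif last == "?all":
        findings.append("SPF ends in ?all (neutral), which tells receivers nothing")
    elif last not in ("-all", "~all"):
        findings.append("SPF has no terminating 'all' mechanism")
    lookups = 0
    for term in terms[1:]:
        name = term.lower().lstrip("+-~?")  # drop the qualifier
        for sep in (":", "=", "/"):         # keep only the mechanism name
            name = name.split(sep, 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; receivers fail it above 10")
    return findings


def check_dmarc(txt_records: list[str]) -> list[str]:
    """Return findings for the _dmarc TXT record."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: receivers have no policy for mail failing SPF and DKIM"]
    tags = parse_tags(dmarc[0])
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"policy tag missing or invalid (p={policy!r})")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


def check_dkim(txt_records: list[str]) -> list[str]:
    """Return findings for a selector._domainkey TXT record."""
    dkim = [r for r in txt_records if "p=" in r]
    if not dkim:
        return ["no DKIM key published at this selector"]
    if not parse_tags(dkim[0]).get("p"):
        return ["DKIM record has an empty p= tag, meaning the key is revoked"]
    return []


# Constructed sample records (not real DNS data).
GOOD_SPF = ["v=spf1 include:spf.mailprovider.example -all"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au"]
WEAK_SPF = ["site-verification=abc123",
            "v=spf1 a mx include:spf.mailprovider.example ?all"]
WEAK_DMARC = ["v=DMARC1; p=none; pct=50"]
REVOKED_DKIM = ["v=DKIM1; k=rsa; p="]

if __name__ == "__main__":
    for label, spf, dmarc in (("good", GOOD_SPF, GOOD_DMARC),
                              ("weak", WEAK_SPF, WEAK_DMARC)):
        print(label, check_spf(spf) + check_dmarc(dmarc) or ["OK"])
    print("dkim", check_dkim(REVOKED_DKIM))
```

The "good" sample passes cleanly. The "weak" one is what a lot of small-business domains actually look like: a neutral `?all` that lets receivers accept anything, a DMARC policy of `p=none` applied to only half of failing mail, and no reporting address, so nobody would ever learn the domain was being spoofed. Those are the three findings to take back to your provider.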
Scoring yourself:
- 8-10: You're doing well. Keep the habits going.
- 5-7: Some good practices, some gaps. Prioritise the missing items.
- Under 5: You have meaningful exposure. Start with MFA and work through the list.
The ACSC has a free tool for this too
The Australian Cyber Security Centre's Small Business Cyber Security Guide and the accompanying Assessment Tool at cyber.gov.au are excellent free resources. Worth bookmarking.
Add phishing awareness to your check-up results at Phishbate →
Think you can spot a phish?
Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.
Take the Quiz →